Safari doesn't require a user to give permission to download certain files, a fact which independent security researcher Nitesh Dhanjani predicted could lead to a "carpet-bombing" attack whereby attackers populate websites with malicious code Safari would automatically download to the desktop.

In a security advisory Microsoft says the flaw is also dependent on a vulnerability in how XP and Vista handle executable files on the desktop. Microsoft says it's not aware of any example of the flaw being exploited, but is working on the issue.

The advisory goes on to suggest, that people "restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple."